Solved: R82 cluster monitoring with Insights

marcyn · ‎2024-07-22

Hi Checkmates,

I have created my own lab with 2x 23500 with R82 EA configured as ElasticXL cluster.
Everything looks fine except one minor thing... I don't see any traffic in Insights -> Tools -> ConnView:

It doesn't matter if I use filter on the left to see particular traffic or not ... after I hit Search button - I see nothing.

Of course there is a traffic from host in "net1" (internal) to host in "net2" (external) - it goes via Check Point R82 (NAT+routing_firewall). I can see this traffic via tcpdump/cppcap/fw monitor ... in logs, etc.

On the other hand - the same looks perfect in TechPoint's Quantum R82 ElasticXL (EA Review):

Is there any requirement for this tool to be able to display connections ?
For example some process/daemon/etc. must be configured first ?

BTW
R82 looks amazing, especially ElasticXL in my opinion will be game changer !

--
Best
Marcin

ShaiF · ‎2024-07-23

After investigating the issue. We found out it is due to the fact connview tool (which insights ConnView tab is using) is not working with Kernel FW mode.
Solution is to change USFW.

View solution in original post

ShaiF · ‎2024-07-22

Hi Marcin,

You are correct and you should see the connection table with or without filter.

Unless your query exceeded max entries of 1000 on one of your cluster member. but in that case you should have seen pop up alert on insight mentioning this and tell you to narrow down your search by adding more filters.

I will install EA version and see if reproduce.

Will keep you updated.

Regards,

Shai

marcyn · ‎2024-07-22

Hi @ShaiF

Great, looking forward your test results.

Just to clarify - my lab is absolutely basic one ... I've just addressed two interfaces, added this cluster to SMS, changed CleanUp Rule to become PassAll, started the traffic flow ... and generally that's it.
Insights works great - I see a lt of statistics (first pane), alerts, etc ... only the last pane "doesn't like me" 🙂

Hopefully we will find why.

--
Best
Marcin

the_rock · ‎2024-07-22

Hey Marcin,

Is this cpview or something else? I have exl lab, so can check as well.

Andy

marcyn · ‎2024-07-22

Hi @the_rock,

This is new tool introduced in R82 for cluster monitoring (for ElasticXL and Maestro).

You can run it by executing command "insights" from gateway.

You will love this tool 🙂

--
Best
Marcin

the_rock · ‎2024-07-22

I used eve-ng for this, gives below...will see if that setting is in terminal settings, cant seem to find it lol

Andy

[Expert@CP-EXL-1-s01-01:0]# insights

Insights is supported only on terminals with settings of at least 190 columns and 25 rows.
Current terminal size is (columns = 72, rows = 19)
To watch information regarding your cluster use one of the following commands:
- From gClish:
> show cluster info ...
- From expert:
# cinfo --help

For best view of insights adjust your preferred terminal application with the following settings:
- Terminal type: xterm
- Font: consolas
- Encoding: UTF-8

[Expert@CP-EXL-1-s01-01:0]#

marcyn · ‎2024-07-22

just enlarge your terminal window to fulfill this requirement:

Insights is supported only on terminals with settings of at least 190 columns and 25 rows.

As you can see yours is like this:

Current terminal size is (columns = 72, rows = 19)

And then magic will happen 🙂

m.

the_rock · ‎2024-07-22

Never mind, I googled it quick, ran this command and now I see the menu. let me check it later on.

Andy

[Expert@CP-EXL-1-s01-01:0]# stty cols 200 rows 150

ShaiF · ‎2024-07-23

After investigating the issue. We found out it is due to the fact connview tool (which insights ConnView tab is using) is not working with Kernel FW mode.
Solution is to change USFW.

marcyn · ‎2024-07-23

Yes,

Thank you @ShaiF for this quick remote session.

And I can confirm what Shai just wrote.
We found out this:

[Expert@R82-01-s01-01:0]# connview
[Error] ConnView is not supported on a Security Gateway that runs the Firewall in the Kernel mode (KSFW). For more information, see sk167052.

And everything is clear now ... It is really "funny" because USFW as we know is enabled by default, but not for 23500 appliance ... which I have in my lab 🙂
/it looks like only this one particular model does not have it enabled by default ... lucky me 😉 /

After I switched to USFW I can see connections in insights.
So in case anybody else will have such "issue" it's just Firewall Mode.

Thank you Shai, it was resolved really fast 🙂

--
Best
m.

_Val_ · ‎2024-07-23

EDITED: My original statement was incorrect, now removed.

@ShaiF knows better 🙂

ShaiF · ‎2024-07-23

Hi Val,

In EA take FW mode depends on models and platform (EXL run USFW by default as well on some models and VM). In GA take all appliances and platforms (Single Gateway, ClusterXL, Maestro, EXL..) will have USFW by default.

Regards,

Shai.

the_rock · ‎2024-07-23

Hey @ShaiF @marcyn

Just for context, I tested it in elasticxl in eve-ng and shows user kernel mode is enabled.

Andy

elasticxl:

[Expert@CP-EXL-1-s01-01:0]# cpprod_util FwIsUsermode
1
[Expert@CP-EXL-1-s01-01:0]#

regular R82:

[Expert@R82-TEST-FW:0]# cpprod_util FwIsUsermode
1
[Expert@R82-TEST-FW:0]#

the_rock · ‎2024-07-23

Will check this in the lab later 🙂

Andy

Are you a member of CheckMates?

R82 cluster monitoring with Insights